lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.GSO.4.51.0608301849180.26107@faron.mitre.org>
Date: Wed, 30 Aug 2006 19:12:19 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: Carsten Eilers <ceilers-lists@....de>
Cc: "Steven M. Christey" <coley@...re.org>, bugtraq@...urityfocus.com
Subject: Re:  JetBox cms (search_function.php) Remote File Include


On Wed, 30 Aug 2006, Carsten Eilers wrote:

> Bad test, I know, but a "quick$dirty" way to look, which
> parts are executed and which not.

Hey, it works :)

> >Notice the "?>" in front of the include statement, which closes off
> >the first bit of executable code.
>
> I'm not sure about the defintion of function-definitions.
> In a normal script it's possible to mix <?...?>-PHP-Code
> and HTML-Code, for example if there are many HTML-tags which
> otherwise hat to be echo'ed in PHP. Is this possible inside
> a function-definition? The PHP-Manual says nothing about
> this (or I did'nt found it :-) ).

Yes, this is possible, now that I've looked more closely.

1) A function definition can cross multiple <?php> tags

2) Because of (1), not every <?php> tag will be 'executed' at the moment
   of loading, if it's enclosed within a function definition.  The
   affected include statement was isolated within its own <?php> tag,
   which made it seem like it might execute upon loading.

3) You can have also HTML within that function definition, which will be
   printed out when the function is called, not when it is being parsed.

These interesting properties were what confused me.

> >So, this looks like it could be exploitable using a direct request to
> >search_function.php, since at the point of the include, the
> >$relative_script_path variable is *not* initialized.
>
> It someway looks like this, yes.

It looks like this, but the include does fall within the scope of the
function definition, once you merge all the <?php> constructs together.

So, this does not look exploitable.

> But I tend to the conclusion, the whole script is really only
> one function-definition.

I agree.

- Steve

P.S.  Here is some demonstration code to highlight some of what I
mentioned here.

=======================================================

... at the beginning of the file ...<br>
... begin definition for abc() - fragment 1 ...<br>
<?php
function abc () {
  echo "... executing first statement in abc() ...<br>";
?>
<b>... this HTML is within abc()'s definition  and will only be printed
out when abc() is called, not when this file is loaded.  Notice how
this HTML appears AFTER the "calling abc()" string in
the web output, but it appears BEFORE that string in the raw
source...<br></b>
... finishing abc() - closing brace - fragment 2 ...<br>
<?php
  echo "... executing last statement in abc() ...<br>";
}
?>
... more HTML cruft between php tags ...<br>
<?php echo "... calling abc() ...<br>"; abc(); ?>
... at the end of the file ...<br>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ